TS-1668: Added HSTS configuration options to ATS
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4cf9975e Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4cf9975e Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4cf9975e Branch: refs/heads/5.0.x Commit: 4cf9975e9b8ff0cc5510707443da0adafbb962cb Parents: f057cdc Author: Bryan Call <[email protected]> Authored: Wed Jan 15 13:38:07 2014 -0800 Committer: Bryan Call <[email protected]> Committed: Wed Jan 15 13:38:07 2014 -0800 ---------------------------------------------------------------------- CHANGES | 2 ++ .../configuration/records.config.en.rst | 15 +++++++++++++++ mgmt/RecordsConfig.cc | 5 +++++ proxy/InkAPI.cc | 19 +++++++++++++++++++ proxy/InkAPITest.cc | 4 +++- proxy/api/ts/ts.h.in | 4 ++++ proxy/hdrs/HdrToken.cc | 3 +++ proxy/hdrs/MIME.cc | 6 ++++++ proxy/hdrs/MIME.h | 3 +++ proxy/http/HttpConfig.cc | 4 ++++ proxy/http/HttpConfig.h | 5 ++++- proxy/http/HttpTransact.cc | 6 ++++++ proxy/http/HttpTransactHeaders.cc | 19 +++++++++++++++++++ proxy/http/HttpTransactHeaders.h | 1 + 14 files changed, 94 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 2c56ffd..a688aea 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 4.2.0 + *) [TS-1668] Added HSTS configuration options to ATS + *) [TS-2495] Reduce the size of HttpVCTableEntry. *) [TS-2491] stop other esi plugin unit test programs after error. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index f0d7f8a..c3aac2e 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst @@ -2046,6 +2046,21 @@ SSL Termination entries in seconds. If it is ``0``, then the SSL library will use a default value, typically 300 seconds. +.. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1 + + This configuration specifies the max-age value that will be used + when adding the Strict-Transport-Security header. The value is in seconds. + A value of 0 will set the max-age value to 0 and should remove the + hsts entry from the cleint. A value of -1 will disable this feature and + not set the header. This option is only used for HTTPS request and the + header will not be set on HTTP requests. + +.. ts:cv:: CONFIG proxy.config.ssl.hsts_include_subdomains INT 0 + + Enables (``1``) or disables (``0``) to add the includeSubdomain value + to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age + will need to be set to a non -1 value for this value to be added. + Client-Related Configuration ---------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/mgmt/RecordsConfig.cc ---------------------------------------------------------------------- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index 3e3fe5c..abae558 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -1275,6 +1275,11 @@ RecordElement RecordsConfig[] = { , {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} , + {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[-1-2147483648]", RECA_NULL} + , + {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} + , + //############################################################################## //# ICP Configuration //############################################################################## http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPI.cc ---------------------------------------------------------------------- diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc index 3c40ce5..2be442d 100644 --- a/proxy/InkAPI.cc +++ b/proxy/InkAPI.cc @@ -198,6 +198,7 @@ tsapi const char *TS_MIME_FIELD_RETRY_AFTER; tsapi const char *TS_MIME_FIELD_SENDER; tsapi const char *TS_MIME_FIELD_SERVER; tsapi const char *TS_MIME_FIELD_SET_COOKIE; +tsapi const char *TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; tsapi const char *TS_MIME_FIELD_SUBJECT; tsapi const char *TS_MIME_FIELD_SUMMARY; tsapi const char *TS_MIME_FIELD_TE; @@ -271,6 +272,7 @@ tsapi int TS_MIME_LEN_RETRY_AFTER; tsapi int TS_MIME_LEN_SENDER; tsapi int TS_MIME_LEN_SERVER; tsapi int TS_MIME_LEN_SET_COOKIE; +tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; tsapi int TS_MIME_LEN_SUBJECT; tsapi int TS_MIME_LEN_SUMMARY; tsapi int TS_MIME_LEN_TE; @@ -1425,6 +1427,7 @@ api_init() TS_MIME_FIELD_SENDER = MIME_FIELD_SENDER; TS_MIME_FIELD_SERVER = MIME_FIELD_SERVER; TS_MIME_FIELD_SET_COOKIE = MIME_FIELD_SET_COOKIE; + TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY = MIME_FIELD_STRICT_TRANSPORT_SECURITY; TS_MIME_FIELD_SUBJECT = MIME_FIELD_SUBJECT; TS_MIME_FIELD_SUMMARY = MIME_FIELD_SUMMARY; TS_MIME_FIELD_TE = MIME_FIELD_TE; @@ -1498,6 +1501,7 @@ api_init() TS_MIME_LEN_SENDER = MIME_LEN_SENDER; TS_MIME_LEN_SERVER = MIME_LEN_SERVER; TS_MIME_LEN_SET_COOKIE = MIME_LEN_SET_COOKIE; + TS_MIME_LEN_STRICT_TRANSPORT_SECURITY = MIME_LEN_STRICT_TRANSPORT_SECURITY; TS_MIME_LEN_SUBJECT = MIME_LEN_SUBJECT; TS_MIME_LEN_SUMMARY = MIME_LEN_SUMMARY; TS_MIME_LEN_TE = MIME_LEN_TE; @@ -7591,6 +7595,14 @@ _conf_to_memberp(TSOverridableConfigKey conf, HttpSM* sm, OverridableDataType *t case TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED: ret = &sm->t_state.txn_conf->accept_encoding_filter_enabled; break; + case TS_CONFIG_SSL_HSTS_MAX_AGE: + typ = OVERRIDABLE_TYPE_INT; + ret = &sm->t_state.txn_conf->proxy_response_hsts_max_age; + break; + case TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS: + typ = OVERRIDABLE_TYPE_BYTE; + ret = &sm->t_state.txn_conf->proxy_response_hsts_include_subdomains; + break; // This helps avoiding compiler warnings, yet detect unhandled enum members. case TS_CONFIG_NULL: @@ -7775,6 +7787,11 @@ TSHttpTxnConfigFind(const char* name, int length, TSOverridableConfigKey *conf, cnf = TS_CONFIG_HTTP_CACHE_HTTP; break; + case 29: + if (!strncmp(name, "proxy.config.ssl.hsts_max_age", length)) + cnf = TS_CONFIG_SSL_HSTS_MAX_AGE; + break; + case 31: if (!strncmp(name, "proxy.config.http.chunking.size", length)) cnf = TS_CONFIG_HTTP_CHUNKING_SIZE; @@ -7891,6 +7908,8 @@ TSHttpTxnConfigFind(const char* name, int length, TSOverridableConfigKey *conf, cnf = TS_CONFIG_HTTP_ORIGIN_MAX_CONNECTIONS; else if (!strncmp(name, "proxy.config.http.cache.required_headers", length)) cnf = TS_CONFIG_HTTP_CACHE_REQUIRED_HEADERS; + else if (!strncmp(name, "proxy.config.ssl.hsts_include_subdomains", length)) + cnf = TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS; break; case 't': if (!strncmp(name, "proxy.config.http.keep_alive_enabled_out", length)) http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/InkAPITest.cc ---------------------------------------------------------------------- diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc index 8f97a88..b9945a1 100644 --- a/proxy/InkAPITest.cc +++ b/proxy/InkAPITest.cc @@ -7412,7 +7412,9 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = { "proxy.config.http.response_header_max_size", "proxy.config.http.negative_revalidating_enabled", "proxy.config.http.negative_revalidating_lifetime", - "proxy.config.http.accept_encoding_filter_enabled" + "proxy.config.http.accept_encoding_filter_enabled", + "proxy.config.ssl.hsts_max_age", + "proxy.config.ssl.hsts_include_subdomains" }; REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS) (RegressionTest * test, int /* atype ATS_UNUSED */, int *pstatus) http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/api/ts/ts.h.in ---------------------------------------------------------------------- diff --git a/proxy/api/ts/ts.h.in b/proxy/api/ts/ts.h.in index a184939..e568b1f 100644 --- a/proxy/api/ts/ts.h.in +++ b/proxy/api/ts/ts.h.in @@ -680,6 +680,8 @@ extern "C" TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_ENABLED, TS_CONFIG_HTTP_NEGATIVE_REVALIDATING_LIFETIME, TS_CONFIG_HTTP_ACCEPT_ENCODING_FILTER_ENABLED, + TS_CONFIG_SSL_HSTS_MAX_AGE, + TS_CONFIG_SSL_HSTS_INCLUDE_SUBDOMAINS, TS_CONFIG_LAST_ENTRY } TSOverridableConfigKey; @@ -903,6 +905,7 @@ extern "C" extern tsapi const char* TS_MIME_FIELD_SENDER; extern tsapi const char* TS_MIME_FIELD_SERVER; extern tsapi const char* TS_MIME_FIELD_SET_COOKIE; + extern tsapi const char* TS_MIME_FIELD_STRICT_TRANSPORT_SECURITY; extern tsapi const char* TS_MIME_FIELD_SUBJECT; extern tsapi const char* TS_MIME_FIELD_SUMMARY; extern tsapi const char* TS_MIME_FIELD_TE; @@ -977,6 +980,7 @@ extern "C" extern tsapi int TS_MIME_LEN_SENDER; extern tsapi int TS_MIME_LEN_SERVER; extern tsapi int TS_MIME_LEN_SET_COOKIE; + extern tsapi int TS_MIME_LEN_STRICT_TRANSPORT_SECURITY; extern tsapi int TS_MIME_LEN_SUBJECT; extern tsapi int TS_MIME_LEN_SUMMARY; extern tsapi int TS_MIME_LEN_TE; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/HdrToken.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/HdrToken.cc b/proxy/hdrs/HdrToken.cc index 4374d85..72bbbe1 100644 --- a/proxy/hdrs/HdrToken.cc +++ b/proxy/hdrs/HdrToken.cc @@ -107,6 +107,7 @@ static const char *_hdrtoken_strs[] = { "Sender", // NNTP "Server", "Set-Cookie", + "Strict-Transport-Security", "Subject", // NNTP "Summary", // NNTP "Transfer-Encoding", @@ -293,6 +294,7 @@ static HdrTokenFieldInfo _hdrtoken_strs_field_initializers[] = { {"Sender", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, HTIF_NONE}, {"Server", MIME_SLOTID_NONE, MIME_PRESENCE_SERVER, HTIF_NONE}, {"Set-Cookie", MIME_SLOTID_SET_COOKIE, MIME_PRESENCE_SET_COOKIE, (HTIF_MULTVALS)}, + {"Strict-Transport-Security", MIME_SLOTID_NONE, MIME_PRESENCE_NONE, (HTIF_MULTVALS)}, {"Subject", MIME_SLOTID_NONE, MIME_PRESENCE_SUBJECT, HTIF_NONE}, {"Summary", MIME_SLOTID_NONE, MIME_PRESENCE_SUMMARY, HTIF_NONE}, {"TE", MIME_SLOTID_TE, MIME_PRESENCE_TE, (HTIF_COMMAS | HTIF_MULTVALS | HTIF_HOPBYHOP)}, @@ -433,6 +435,7 @@ static const char *_hdrtoken_commonly_tokenized_strs[] = { "Sender", // NNTP "Server", "Set-Cookie", + "Strict-Transport-Security", "Subject", // NNTP "Summary", // NNTP "Transfer-Encoding", http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.cc ---------------------------------------------------------------------- diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc index b779589..0313314 100644 --- a/proxy/hdrs/MIME.cc +++ b/proxy/hdrs/MIME.cc @@ -141,6 +141,7 @@ const char *MIME_FIELD_RETRY_AFTER; const char *MIME_FIELD_SENDER; const char *MIME_FIELD_SERVER; const char *MIME_FIELD_SET_COOKIE; +const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; const char *MIME_FIELD_SUBJECT; const char *MIME_FIELD_SUMMARY; const char *MIME_FIELD_TE; @@ -249,6 +250,7 @@ int MIME_LEN_RETRY_AFTER; int MIME_LEN_SENDER; int MIME_LEN_SERVER; int MIME_LEN_SET_COOKIE; +int MIME_LEN_STRICT_TRANSPORT_SECURITY; int MIME_LEN_SUBJECT; int MIME_LEN_SUMMARY; int MIME_LEN_TE; @@ -323,6 +325,7 @@ int MIME_WKSIDX_RETRY_AFTER; int MIME_WKSIDX_SENDER; int MIME_WKSIDX_SERVER; int MIME_WKSIDX_SET_COOKIE; +int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; int MIME_WKSIDX_SUBJECT; int MIME_WKSIDX_SUMMARY; int MIME_WKSIDX_TE; @@ -665,6 +668,7 @@ mime_init() MIME_FIELD_SENDER = hdrtoken_string_to_wks("Sender"); MIME_FIELD_SERVER = hdrtoken_string_to_wks("Server"); MIME_FIELD_SET_COOKIE = hdrtoken_string_to_wks("Set-Cookie"); + MIME_FIELD_STRICT_TRANSPORT_SECURITY = hdrtoken_string_to_wks("Strict-Transport-Security"); MIME_FIELD_SUBJECT = hdrtoken_string_to_wks("Subject"); MIME_FIELD_SUMMARY = hdrtoken_string_to_wks("Summary"); MIME_FIELD_TE = hdrtoken_string_to_wks("TE"); @@ -740,6 +744,7 @@ mime_init() MIME_LEN_SENDER = hdrtoken_wks_to_length(MIME_FIELD_SENDER); MIME_LEN_SERVER = hdrtoken_wks_to_length(MIME_FIELD_SERVER); MIME_LEN_SET_COOKIE = hdrtoken_wks_to_length(MIME_FIELD_SET_COOKIE); + MIME_LEN_STRICT_TRANSPORT_SECURITY = hdrtoken_wks_to_length(MIME_FIELD_STRICT_TRANSPORT_SECURITY); MIME_LEN_SUBJECT = hdrtoken_wks_to_length(MIME_FIELD_SUBJECT); MIME_LEN_SUMMARY = hdrtoken_wks_to_length(MIME_FIELD_SUMMARY); MIME_LEN_TE = hdrtoken_wks_to_length(MIME_FIELD_TE); @@ -814,6 +819,7 @@ mime_init() MIME_WKSIDX_SENDER = hdrtoken_wks_to_index(MIME_FIELD_SENDER); MIME_WKSIDX_SERVER = hdrtoken_wks_to_index(MIME_FIELD_SERVER); MIME_WKSIDX_SET_COOKIE = hdrtoken_wks_to_index(MIME_FIELD_SET_COOKIE); + MIME_WKSIDX_STRICT_TRANSPORT_SECURITY = hdrtoken_wks_to_index(MIME_FIELD_STRICT_TRANSPORT_SECURITY); MIME_WKSIDX_SUBJECT = hdrtoken_wks_to_index(MIME_FIELD_SUBJECT); MIME_WKSIDX_SUMMARY = hdrtoken_wks_to_index(MIME_FIELD_SUMMARY); MIME_WKSIDX_TE = hdrtoken_wks_to_index(MIME_FIELD_TE); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/hdrs/MIME.h ---------------------------------------------------------------------- diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h index 264847c..a75e56a 100644 --- a/proxy/hdrs/MIME.h +++ b/proxy/hdrs/MIME.h @@ -352,6 +352,7 @@ extern const char *MIME_FIELD_RETRY_AFTER; extern const char *MIME_FIELD_SENDER; extern const char *MIME_FIELD_SERVER; extern const char *MIME_FIELD_SET_COOKIE; +extern const char *MIME_FIELD_STRICT_TRANSPORT_SECURITY; extern const char *MIME_FIELD_SUBJECT; extern const char *MIME_FIELD_SUMMARY; extern const char *MIME_FIELD_TE; @@ -449,6 +450,7 @@ extern int MIME_LEN_RETRY_AFTER; extern int MIME_LEN_SENDER; extern int MIME_LEN_SERVER; extern int MIME_LEN_SET_COOKIE; +extern int MIME_LEN_STRICT_TRANSPORT_SECURITY; extern int MIME_LEN_SUBJECT; extern int MIME_LEN_SUMMARY; extern int MIME_LEN_TE; @@ -546,6 +548,7 @@ extern int MIME_WKSIDX_RETRY_AFTER; extern int MIME_WKSIDX_SENDER; extern int MIME_WKSIDX_SERVER; extern int MIME_WKSIDX_SET_COOKIE; +extern int MIME_WKSIDX_STRICT_TRANSPORT_SECURITY; extern int MIME_WKSIDX_SUBJECT; extern int MIME_WKSIDX_SUMMARY; extern int MIME_WKSIDX_TE; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc index 26fa002..be6f0d8 100644 --- a/proxy/http/HttpConfig.cc +++ b/proxy/http/HttpConfig.cc @@ -1164,6 +1164,8 @@ HttpConfig::startup() HttpEstablishStaticConfigByte(c.oride.insert_request_via_string, "proxy.config.http.insert_request_via_str"); HttpEstablishStaticConfigByte(c.oride.insert_response_via_string, "proxy.config.http.insert_response_via_str"); + HttpEstablishStaticConfigLongLong(c.oride.proxy_response_hsts_max_age, "proxy.config.ssl.hsts_max_age"); + HttpEstablishStaticConfigByte(c.oride.proxy_response_hsts_include_subdomains, "proxy.config.ssl.hsts_include_subdomains"); HttpEstablishStaticConfigStringAlloc(c.proxy_request_via_string, "proxy.config.http.request_via_str"); c.proxy_request_via_string_len = -1; @@ -1406,6 +1408,8 @@ HttpConfig::reconfigure() params->proxy_request_via_string_len = (params->proxy_request_via_string) ? strlen(params->proxy_request_via_string) : 0; params->proxy_response_via_string = ats_strdup(m_master.proxy_response_via_string); params->proxy_response_via_string_len = (params->proxy_response_via_string) ? strlen(params->proxy_response_via_string) : 0; + params->oride.proxy_response_hsts_max_age = m_master.oride.proxy_response_hsts_max_age; + params->oride.proxy_response_hsts_include_subdomains = m_master.oride.proxy_response_hsts_include_subdomains; params->url_expansions_string = ats_strdup(m_master.url_expansions_string); params->url_expansions = parse_url_expansions(params->url_expansions_string, ¶ms->num_url_expansions); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpConfig.h ---------------------------------------------------------------------- diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h index b3b9e40..e4790a9 100644 --- a/proxy/http/HttpConfig.h +++ b/proxy/http/HttpConfig.h @@ -406,7 +406,8 @@ struct OverridableHttpConfigParams { share_server_sessions(2), fwd_proxy_auth_to_parent(0), insert_age_in_response(1), anonymize_remove_from(0), anonymize_remove_referer(0), anonymize_remove_user_agent(0), anonymize_remove_cookie(0), anonymize_remove_client_ip(0), anonymize_insert_client_ip(1), - proxy_response_server_enabled(1), insert_squid_x_forwarded_for(1), send_http11_requests(1), + proxy_response_server_enabled(1), proxy_response_hsts_max_age(-1), proxy_response_hsts_include_subdomains(0), + insert_squid_x_forwarded_for(1), send_http11_requests(1), cache_http(1), cache_cluster_cache_local(0), cache_ignore_client_no_cache(1), cache_ignore_client_cc_max_age(0), cache_ims_on_client_no_cache(1), cache_ignore_server_no_cache(0), cache_responses_to_cookies(1), cache_ignore_auth(0), cache_urls_that_look_dynamic(1), cache_required_headers(2), cache_range_lookup(1), @@ -471,6 +472,8 @@ struct OverridableHttpConfigParams { MgmtByte anonymize_insert_client_ip; MgmtByte proxy_response_server_enabled; + MgmtInt proxy_response_hsts_max_age; + MgmtByte proxy_response_hsts_include_subdomains; ///////////////////// // X-Forwarded-For // http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransact.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc index 14207f0..ff043b2 100644 --- a/proxy/http/HttpTransact.cc +++ b/proxy/http/HttpTransact.cc @@ -7745,6 +7745,12 @@ HttpTransact::build_response(State* s, HTTPHdr* base_response, HTTPHdr* outgoing if (s->next_hop_scheme < 0) s->next_hop_scheme = URL_WKSIDX_HTTP; + // Add HSTS header (Strict-Transport-Security) if max-age is set and the request was https + if (s->orig_scheme == URL_WKSIDX_HTTPS && s->txn_conf->proxy_response_hsts_max_age >= 0) { + Debug("http_hdrs", "hsts max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age); + HttpTransactHeaders::insert_hsts_header_in_response(s, outgoing_response); + } + if (s->txn_conf->insert_response_via_string) HttpTransactHeaders::insert_via_header_in_response(s, outgoing_response); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpTransactHeaders.cc b/proxy/http/HttpTransactHeaders.cc index 7c9a3e6..b5ab0fe 100644 --- a/proxy/http/HttpTransactHeaders.cc +++ b/proxy/http/HttpTransactHeaders.cc @@ -879,6 +879,25 @@ HttpTransactHeaders::insert_via_header_in_request(HttpTransact::State *s, HTTPHd header->value_append(MIME_FIELD_VIA, MIME_LEN_VIA, new_via_string, via_string - new_via_string, true); } +void +HttpTransactHeaders::insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr *header) +{ + char new_hsts_string[64]; + char *hsts_string = new_hsts_string; + const char include_subdomains[] = "; includeSubDomains"; + + // add max-age + int length = snprintf(new_hsts_string, sizeof(new_hsts_string), "max-age=%" PRId64, s->txn_conf->proxy_response_hsts_max_age); + + // add include subdomain if set + if (s->txn_conf->proxy_response_hsts_include_subdomains) { + hsts_string += length; + memcpy(hsts_string, include_subdomains, sizeof(include_subdomains)); + length += sizeof(include_subdomains); + } + + header->value_set(MIME_FIELD_STRICT_TRANSPORT_SECURITY, MIME_LEN_STRICT_TRANSPORT_SECURITY, new_hsts_string, length); +} void HttpTransactHeaders::insert_via_header_in_response(HttpTransact::State *s, HTTPHdr *header) http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4cf9975e/proxy/http/HttpTransactHeaders.h ---------------------------------------------------------------------- diff --git a/proxy/http/HttpTransactHeaders.h b/proxy/http/HttpTransactHeaders.h index 8dbbdab..0fa3a03 100644 --- a/proxy/http/HttpTransactHeaders.h +++ b/proxy/http/HttpTransactHeaders.h @@ -72,6 +72,7 @@ public: static void insert_server_header_in_response(const char *server_tag, int server_tag_size, HTTPHdr * header); static void insert_via_header_in_request(HttpTransact::State *s, HTTPHdr *header); static void insert_via_header_in_response(HttpTransact::State *s, HTTPHdr *header); + static void insert_hsts_header_in_response(HttpTransact::State *s, HTTPHdr *header); static bool is_request_proxy_authorized(HTTPHdr * incoming_hdr);
